Sounds like you have a sales "opportunity" to get them on filtering, but
also sounds like filtering won't help with the flood.  Is this flood with or
without the nobody alias?

I would definitely be contacting the authorities as this amounts to a DOS
attack.  Maybe others who have dealt with this before can offer advice on
who to contact and how to work with them...?

Darin.


----- Original Message ----- 
From: "Darryl Koster" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 11, 2004 10:06 AM
Subject: RE: [Declude.JunkMail] 2,000,000 + emails today




The problem with it is we give clients the choice if they want to be on the
filters or not, they have made the choice not to be on the filters. We put
them on it anyway and then we ended up having to remove the mx records for
them. The qmail server (our spool server) had no problems keeping up, it kept
on accepting mail etc. The problem came in though when we had 100,000 plus
in the queue and it kept sending all these e-mails over to the imail server
every x minutes and it would flood the server, after 12 hours the servers
just could not keep up anymore with the amount of incoming and outgoing
mails.

Darryl

PS. As I think I stated earlier, knowing me I have something wrong on some
shi**y little setting I have not looked at in years and it's causing a
problem now.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, March 10, 2004 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today

Hmmm...so no chance of an envelope rejection when it's destined for valid
email addresses.  Anyone heard of envelope rejection by subject word/phrase?
That could be useful in the future as they get more nimble.  Perhaps even
Bayesian filtering on it...

Darryl, it looks like there's no choice but to process the messages (I'm
sure most will get junked by your filters), and gather evidence in hope that
authorities can use it to track down and shut down the spammer.

Darin.


----- Original Message ----- 
From: "Matt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 9:16 PM
Subject: Re: [Declude.JunkMail] 2,000,000 + emails today


In this case, headers don't provide any benefit because this stuff all
comes from zombies with forged info.  It's the payload links, where they
might be redirected to and/or is hosted, where their DNS is hosted, and
where their names were registered.  Chances are that everything can be
tracked back to the same spam gang.

I searched the newsgroups for one of the subjects, and found a bunch of
zero day domains, one of which was still active and hosting images for
this spam, turwy33.info.  I then looked up the IP and found it listed in
SBL fresh as of today:

    http://www.spamhaus.org/sbl/sbl.lasso?query=SBL14807

This has been attributed to ROKSO spammer MailTrain, whose evidence file
can be found at the following:

    http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=MailTrain

Here's the full list of their current SBL listings...lots from China, as
all good pill spammers who need dishonest hosts go (unless they can get
a good rate at Exodus):


    http://www.spamhaus.org/rokso/sbl_listings.lasso?spammer=MailTrain&rokso_id=ROK

One of the contacts listed in SBL shows that at least one of these guys
is Scott's neighbor (figuratively).

I would be curious about whether or not this was the same spammer
causing issues with Darin.  Nevertheless, everyone should turn off the
Nobody alias for fear that they might get harvested from not rejecting a
dictionary attack during the SMTP envelope.

Matt



Darryl Koster wrote:

>We generally do not have nobody aliases set on the domains we have, this was
>set up to capture some of the emails that were being held by the server so
>we could look at the headers. Once we knew we had enough of them to work
>with we removed the nobody alias. Basically those 10 Megs worth of emails
>span about 10 minutes worth of time.
>
>
>Here are a couple sample headers. The IP range found within some of the
>(207.164.190.***) is our IP Range.
>
>
>Take a look, there are two of them I have not been able to find any
>similarities between them. There are hundreds like this.
>
>
>
>Darryl Koster
>
>
>
>-----------HEADER ONE --------------------------
>>From <[EMAIL PROTECTED]> Wed Mar 10 15:30:58 2004
>Received: from mx2.statusconcepts.com [207.164.190.21] by
>mail.statustechnologies.com
>  (SMTPD32-7.07) id AAF069B8010C; Wed, 10 Mar 2004 15:30:40 -0500
>Received: (qmail 32104 invoked from network); 10 Mar 2004 16:44:32 -0000
>Received: from spr1-brig5-3-0-cust133.lond.broadband.ntl.com (80.3.72.133)
>  by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:44:32 -0000
>Received: from (HELO idif) [126.202.95.91] by
>spr1-brig5-3-0-cust133.lond.broadband.ntl.com SMTP id T5WrKU8YPux1cX; Sat,
>13 Mar 2004 15:38:00 -0600
>Message-ID: <[EMAIL PROTECTED]>
>From: "Lakisha Woody" <[EMAIL PROTECTED]>
>Reply-To: "Lakisha Woody" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Subject: turn your Spud into a stud!! m
>Date: Sat, 13 Mar 04 15:38:00 GMT
>X-Mailer: Microsoft Outlook Express 6.00.2462.0000
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="B0DD5_.B3._EBFDDB0"
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Declude-Sender: [EMAIL PROTECTED] [207.164.190.21]
>X-Declude-Spoolname: D7af069b8010ca4e1.SMD
>X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
>spam.
>X-Note: If there are problems please contact
>[EMAIL PROTECTED]
>X-Note: http://www.statustechnologeis.com
>X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, IPNOTINMX,
>NOLEGITCONTENT, ROUTING, BODYFILTER, SPAM-DOMAINS, WEIGHT10, WEIGHT30 [55]
>X-RCPT-TO: <[EMAIL PROTECTED]>
>Status: U
>X-UIDL: 378950659
>
>
>--B0DD5_.B3._EBFDDB0
>Content-Type: text/html;
>Content-Transfer-Encoding: quoted-printable
>
>
>
>
>--------------------------------HEADER TWO -------------------------------
>
>
>
>>From <[EMAIL PROTECTED]> Wed Mar 10 16:00:13 2004
>Received: from mx2.statusconcepts.com [207.164.190.21] by
>mail.statustechnologies.com
>  (SMTPD32-7.07) id ADD9621B00AE; Wed, 10 Mar 2004 15:43:05 -0500
>Received: (qmail 1595 invoked from network); 10 Mar 2004 16:48:27 -0000
>Received: from c-24-12-20-130.client.comcast.net (24.12.20.130)
>  by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:48:27 -0000
>Received: from [218.175.132.210] by c-24-12-20-130.client.comcast.net with
>ESMTP id 05811379 for <[EMAIL PROTECTED]>; Sat, 13 Mar 2004
>17:37:56 -0400
>Message-ID: <[EMAIL PROTECTED]>
>From: "Melissa Funk" <[EMAIL PROTECTED]>
>Reply-To: "Melissa Funk" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Cc: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Subject: This email is for Men! uukvx xga pxd hclt
>Date: Sat, 13 Mar 04 17:37:56 GMT
>X-Mailer: The Bat! (v1.52f) Business
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="B0DD5_.B3._EBFDDB0"
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Declude-Sender: [EMAIL PROTECTED] [207.164.190.21]
>X-Declude-Spoolname: D7dd9621b00ae0338.SMD
>X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for
>spam.
>X-Note: If there are problems please contact
>[EMAIL PROTECTED]
>X-Note: http://www.statustechnologeis.com
>X-Spam-Tests-Failed: NOPOSTMASTER, BADHEADERS, IPNOTINMX, NOLEGITCONTENT,
>BODYFILTER, GIBBERISHSUB, SPAM-DOMAINS, WEIGHT10, WEIGHT30, WEIGHT100 [149]
>X-RCPT-TO: <[EMAIL PROTECTED]>
>Status: U
>X-UIDL: 378952512
>
>
>
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list.  To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.JunkMail".  The archives can be found
>at http://www.mail-archive.com.
>
>
>
>

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================


_____________________________________
[This E-mail virus scanned by 4C Web]
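
Added example, not part of the original thread: a short Python routine that applies Matt's point to the "HEADER ONE" sample by trusting only the Received lines stamped by the receiving site's own servers and treating everything below them as sender-supplied. The function names and the OUR_HOSTS set (hostnames read off the sample headers) are assumptions, and the delay figure assumes both internal clocks were accurate.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

OUR_HOSTS = {"mx2.statusconcepts.com", "mail.statustechnologies.com"}  # assumed: read off the sample

# Constructed sample: the Received chain of "HEADER ONE", with quoting removed and lines refolded.
SAMPLE = """\
Received: from mx2.statusconcepts.com [207.164.190.21] by mail.statustechnologies.com
  (SMTPD32-7.07) id AAF069B8010C; Wed, 10 Mar 2004 15:30:40 -0500
Received: (qmail 32104 invoked from network); 10 Mar 2004 16:44:32 -0000
Received: from spr1-brig5-3-0-cust133.lond.broadband.ntl.com (80.3.72.133)
  by mx2.statusconcepts.com with SMTP; 10 Mar 2004 16:44:32 -0000
Received: from (HELO idif) [126.202.95.91] by
  spr1-brig5-3-0-cust133.lond.broadband.ntl.com SMTP id T5WrKU8YPux1cX; Sat,
  13 Mar 2004 15:38:00 -0600
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")

def parse_hop(raw):
    """Split one Received value into stamping host, peer IP and timestamp."""
    text = " ".join(raw.split())                      # unfold continuation lines
    when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
    if when.tzinfo is None:                           # "-0000" parses as naive UTC
        when = when.replace(tzinfo=timezone.utc)
    by, ip = BY_RE.search(text), IP_RE.search(text)
    return {"by": by.group(1).lower() if by else None,
            "ip": ip.group(1) if ip else None, "when": when}

def analyse(headers):
    """Find the edge hop stamped by our own MX and score everything below it."""
    hops = [parse_hop(v) for v in message_from_string(headers).get_all("Received", [])]
    edge, boundary = None, len(hops)
    for i, hop in enumerate(hops):                    # newest hop first
        if hop["by"] is None:                         # local qmail stamp, names no host
            continue
        if hop["by"] not in OUR_HOSTS:                # first line written by a machine we do not run
            boundary = i
            break
        edge = hop
    if edge is None:
        return None
    hours = lambda h: round((h["when"] - edge["when"]).total_seconds() / 3600, 1)
    return {"edge_ip": edge["ip"],                    # the only origin address we recorded ourselves
            "internal_delay_s": int((hops[0]["when"] - edge["when"]).total_seconds()),
            "unverified": [dict(h, skew_hours=hours(h)) for h in hops[boundary:]]}
```

On the sample, the edge hop is the connection mx2 accepted from 80.3.72.133; the hop below it is dated about three days after that acceptance, which marks it as written by the sender rather than by a real relay.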

